DMCKIB88

asked on

cross site scripting (XSS)

Help . . .
The application appears to be vulnerable to cross site scripting (XSS).
I need to HTML encode data before sending it to the browser.

Filtering < and > alone will not solve all cross site scripting attacks. It is suggested you also attempt to filter out open and closing parentheses or convert them to their encoded equivalents.

This is the page; how do I change it to stop this? The page is below:
______________________________________________

include("./_include/core/main_start.php");

class CPhotoEdit extends CHtmlBlock
{
      function select_channel_name($channel_id)
      {
            $result_channel = DB::query("SELECT name FROM videogallery_channels WHERE id = ".to_sql($channel_id, "Number")." and status = 'ACTIVE'");
            $row_channel = DB::fetch_row();
            return $row_channel;
      }

      function parseBlock(&$html)
      {
            global $g;
            global $g_user;

            $fla = get_param("fla", "");
            $show = get_param("show", "");
            $cat = get_param("cat", "");
            $start = get_param("start", "");
            if (empty($fla)) $fla="top_plays";
            if (empty($show)) $show="all";
            if (empty($cat)) $cat=0;
            if (empty($start)) $start=0;

            $result=DB::query("SELECT * FROM videogallery_channels WHERE status = 'ACTIVE'");
            $num_cat=DB::num_rows();
            if ($num_cat>0)
            {
                  $html->setvar("fla", $fla);
                  $html->setvar("show", $show);
                  $html->setvar("cat_id", 0);
                  $html->parse("all_categories", true);
                  while ($row=DB::fetch_row())
                  {
                        $html->setvar("fla", $fla);
                        $html->setvar("show", $show);
                        $html->setvar("cat_id", $row['id']);
                        $html->setvar("cat_name", $row['name']);
                        $html->parse("categories", true);
                  }
            }

            $eu = ($start - 0);
            $limit = 15;
            $this_page = $eu + $limit;
            $back = $eu - $limit;
            $next = $eu + $limit;

            if (!empty($cat))
            {
                  $channel_name = $this->select_channel_name($cat);
                  $ch_nm =  $channel_name[0];
                  $add_query=" and (videogallery_video.channels LIKE ".to_sql("%,".$ch_nm.",%")." or videogallery_video.channels LIKE ".to_sql("%,".$ch_nm)." or videogallery_video.channels LIKE ".to_sql($ch_nm.",%").")";
            }
            else
            {
                  $add_query="";
            }

            $title="";
            if($fla=="top_plays")
            {
                  if ($show=="today")
                  {
                        $query_video = "select *, count( * ) AS temp from videogallery_video, videogallery_watch where videogallery_video.status = 'ACTIVE' and videogallery_video.id=videogallery_watch.vid and (TO_DAYS(CURDATE())-TO_DAYS(videogallery_watch.data))<=1 $add_query GROUP BY videogallery_watch.vid ORDER BY temp DESC";
                        $title="Today's Top Plays";
                  }
                  elseif ($show=="week")
                  {
                        $query_video = "select *, count( * ) AS temp from videogallery_video, videogallery_watch where videogallery_video.status = 'ACTIVE' and videogallery_video.id=videogallery_watch.vid and (TO_DAYS(CURDATE())-TO_DAYS(videogallery_watch.data))<=7 $add_query GROUP BY videogallery_watch.vid ORDER BY temp DESC";
                        $title="Weekly Top Plays";
                  }
                  elseif ($show=="month")
                  {
                        $query_video = "select *, count( * ) AS temp from videogallery_video, videogallery_watch where videogallery_video.status = 'ACTIVE' and videogallery_video.id=videogallery_watch.vid and (TO_DAYS(CURDATE())-TO_DAYS(videogallery_watch.data))<=31 $add_query GROUP BY videogallery_watch.vid ORDER BY temp DESC";
                        $title="Monthly Top Plays";
                  }
                  elseif ($show=="all")
                  {
                        $query_video = "select * from videogallery_video where status = 'ACTIVE' $add_query ORDER BY `no_of_times_viewed` DESC";
                        $title="All Top Plays";
                  }
            }
            elseif($fla=="just_added")
            {
                  $query_video = "select * from videogallery_video where status = 'ACTIVE' and (TO_DAYS(CURDATE())-TO_DAYS(videogallery_video.video_date))<=1 $add_query";
                  $title="New Today";
            }
            elseif($fla=="most_comments")
            {
                  if ($show=="today")
                  {
#                        $query_video = "SELECT *, count( * ) AS temp FROM `videogallery_video` , `videogallery_comments` WHERE videogallery_comments.comment_id = videogallery_video.id AND videogallery_video.status = 'ACTIVE' AND videogallery_comments.comment_type = 'VIDEO' AND videogallery_comments.status = 'ACTIVE' and (TO_DAYS(CURDATE())-TO_DAYS(videogallery_comments.data))<=1 $add_query GROUP BY videogallery_video.id ORDER BY `temp` DESC";
                        $query_video = "SELECT *, (SELECT count( * ) FROM `videogallery_comments` WHERE videogallery_comments.comment_id = videogallery_video.id AND videogallery_comments.comment_type = 'VIDEO' AND videogallery_comments.status = 'ACTIVE' and (TO_DAYS(CURDATE())-TO_DAYS(videogallery_comments.data))<=1) AS temp FROM `videogallery_video` WHERE videogallery_video.status = 'ACTIVE' $add_query ORDER BY `temp` DESC";
                        $title="Today's Most Comments";
                  }
                  elseif ($show=="week")
                  {
#                        $query_video = "SELECT *, count( * ) AS temp FROM `videogallery_video` , `videogallery_comments` WHERE videogallery_comments.comment_id = videogallery_video.id AND videogallery_video.status = 'ACTIVE' AND videogallery_comments.comment_type = 'VIDEO' AND videogallery_comments.status = 'ACTIVE' and (TO_DAYS(CURDATE())-TO_DAYS(videogallery_comments.data))<=7 $add_query GROUP BY videogallery_video.id ORDER BY `temp` DESC";
                        $query_video = "SELECT *, (SELECT count( * ) FROM `videogallery_comments` WHERE videogallery_comments.comment_id = videogallery_video.id AND videogallery_comments.comment_type = 'VIDEO' AND videogallery_comments.status = 'ACTIVE' and (TO_DAYS(CURDATE())-TO_DAYS(videogallery_comments.data))<=7) AS temp FROM `videogallery_video` WHERE videogallery_video.status = 'ACTIVE' $add_query ORDER BY `temp` DESC";
                        $title="Weekly Most Comments";
                  }
                  elseif ($show=="month")
                  {
                        $query_video = "SELECT *, (SELECT count( * ) FROM `videogallery_comments` WHERE videogallery_comments.comment_id = videogallery_video.id AND videogallery_comments.comment_type = 'VIDEO' AND videogallery_comments.status = 'ACTIVE' and (TO_DAYS(CURDATE())-TO_DAYS(videogallery_comments.data))<=31) AS temp FROM `videogallery_video` WHERE videogallery_video.status = 'ACTIVE' $add_query ORDER BY `temp` DESC";
                        $title="Monthly Most Comments";
                  }
                  elseif ($show=="all")
                  {
                        $query_video = "SELECT *, (SELECT count( * ) FROM `videogallery_comments` WHERE videogallery_comments.comment_id = videogallery_video.id AND videogallery_comments.comment_type = 'VIDEO' AND videogallery_comments.status = 'ACTIVE') AS temp FROM `videogallery_video` WHERE videogallery_video.status = 'ACTIVE' $add_query ORDER BY `temp` DESC";
                        $title="All Most Comments";
                  }
            }
            elseif($fla=="top_rated")
            {
                  if ($show=="today")
                  {
#                        $query_video = "select *, count( * ) AS temp from videogallery_video, videogallery_rated where videogallery_video.status = 'ACTIVE' and videogallery_video.id=videogallery_rated.vid and (TO_DAYS(CURDATE())-TO_DAYS(videogallery_rated.data))<=1 $add_query GROUP BY videogallery_rated.vid ORDER BY temp DESC";
                        $query_video = "select *, (select count( * ) from videogallery_rated where videogallery_video.id=videogallery_rated.vid and (TO_DAYS(CURDATE())-TO_DAYS(videogallery_rated.data))<=1) AS temp FROM videogallery_video WHERE videogallery_video.status = 'ACTIVE' and (select count( * ) from videogallery_rated where videogallery_video.id=videogallery_rated.vid and (TO_DAYS(CURDATE())-TO_DAYS(videogallery_rated.data))<=1)>0 $add_query ORDER BY temp DESC";
                        $title="Today's Highest Rated";
                  }
                  elseif ($show=="week")
                  {
#                        $query_video = "select *, count( * ) AS temp from videogallery_video, videogallery_rated where videogallery_video.status = 'ACTIVE' and videogallery_video.id=videogallery_rated.vid and (TO_DAYS(CURDATE())-TO_DAYS(videogallery_rated.data))<=7 $add_query GROUP BY videogallery_rated.vid ORDER BY temp DESC";
                        $query_video = "select *, (select count( * ) from videogallery_rated where videogallery_video.id=videogallery_rated.vid and (TO_DAYS(CURDATE())-TO_DAYS(videogallery_rated.data))<=7) AS temp FROM videogallery_video WHERE videogallery_video.status = 'ACTIVE' and (select count( * ) from videogallery_rated where videogallery_video.id=videogallery_rated.vid and (TO_DAYS(CURDATE())-TO_DAYS(videogallery_rated.data))<=7)>0 $add_query ORDER BY temp DESC";
                        $title="Weekly Highest Rated";
                  }
                  elseif ($show=="month")
                  {
#                        $query_video = "select *, count( * ) AS temp from videogallery_video, videogallery_rated where videogallery_video.status = 'ACTIVE' and videogallery_video.id=videogallery_rated.vid and (TO_DAYS(CURDATE())-TO_DAYS(videogallery_rated.data))<=31 $add_query GROUP BY videogallery_rated.vid ORDER BY temp DESC";
                        $query_video = "select *, (select count( * ) from videogallery_rated where videogallery_video.id=videogallery_rated.vid and (TO_DAYS(CURDATE())-TO_DAYS(videogallery_rated.data))<=31) AS temp FROM videogallery_video WHERE videogallery_video.status = 'ACTIVE' and (select count( * ) from videogallery_rated where videogallery_video.id=videogallery_rated.vid and (TO_DAYS(CURDATE())-TO_DAYS(videogallery_rated.data))<=31)>0 $add_query ORDER BY temp DESC";
                        $title="Monthly Highest Rated";
                  }
                  elseif ($show=="all")
                  {
                        $query_video = "select * from videogallery_video where status = 'ACTIVE' $add_query ORDER BY `rate` DESC";
                        $title="All Highest Rated";
                  }
            }

            $query_video_all=$query_video;
            $query_video.=" limit ".to_sql($eu, "Number").", ".to_sql($limit, "Number")."";

            $result=DB::query($query_video_all);
            $nume=DB::num_rows();

            $xx=1;
            $result_video = DB::query($query_video);
            while ($row_video = DB::fetch_row())
            {
                  $result_comment = DB::query("SELECT * FROM videogallery_comments WHERE comment_type = 'VIDEO' and comment_id = '".$row_video['id']."' and status = 'ACTIVE'",1);
                  $num_comment = DB::num_rows(1);

                  $html->setvar("video_id", $row_video['id']);
                  $html->setvar("video_image", $row_video['video_image']);
                  $html->setvar("video_title", $row_video['title']);
                  $html->setvar("video_plays", $row_video['no_of_times_viewed']);
                  $html->setvar("video_comments", $num_comment);

                  $xx++;
                  if ($xx==4)
                  {
                        $html->parse("line_videos", true);
                        $xx=1;
                  }
                  else $html->setblockvar("line_videos", "");

                  $html->parse("videos", true);
            }

            $html->setvar("fla", $fla);
            $html->setvar("show", $show);
            $html->setvar("cat_id", $cat);
            $html->setvar("this_count", $eu+1);
            if ($next<$nume)
            {
                  $html->setvar("next_count", $next);
            }
            else
            {
                  $html->setvar("next_count", $nume);
            }
            $html->setvar("all_count", $nume);
                if ($nume/$limit>5) {
                      $tostart=$eu;
                      $tonume=(1+round($eu/15))*15;
                }
                else {
                      $tostart=0;
                      $tonume=$nume;
              }

              if ($tostart>0) {
                  $html->setvar("toleft", $tostart-15);
                  $html->parse("left_2", true);
            }
            $l=$tostart/15+1;

            for($i=$tostart;$i < $tonume;$i=$i+$limit)
            {
                  $html->setblockvar("page_1", "");
                  $html->setblockvar("page", "");
                  if($i <> $eu){
                        $html->setvar("i", $i);
                        $html->setvar("l", $l);
                        $html->parse("page", true);
                        $html->setblockvar("page_1", "");
                        $html->parse("pages_1", true);
                  }
                  else {
                        $html->setvar("l", $l);
                        $html->setblockvar("page", "");
                        $html->parse("page_1", true);
                        $html->parse("pages_1", true);
                  }
                  $l=$l+1;
            }
            if ($nume>$tonume) {
                  $html->setvar("toright", $tonume);
                  $html->parse("right_2", true);
            }
            if($back >=0) {
                  $html->setvar("back", $back);
                  $html->parse("prev", true);
            }
            if ($back >=0&&$this_page < $nume)
            {
                  $html->parse("separator", true);
            }
            if($this_page < $nume) {
                  $html->setvar("next", $next);
                  $html->parse("next", true);
            }
            $html->parse("pages", true);

            parent::parseBlock($html);
      }
}

class VidoHeader extends CHtmlBlock
{

      var $sMessage = "";

      function VidoHeader($name, $html_path)
      {
            $this->CHtmlBlock($name, $html_path);

      }

      function parseBlock(&$html)
      {
            global $g;
            global $g_user;

            $fla = get_param("fla", "");
            $show = get_param("show", "");
            $cat = get_param("cat", "");
            $start = get_param("start", "");
            if (empty($fla)) $fla="top_plays";
            if (empty($show)) $show="all";
            if (empty($cat)) $cat=0;
            if (empty($start)) $start=0;

            $result_cat=DB::query("SELECT * FROM videogallery_channels WHERE status = 'ACTIVE' and id=".to_sql($cat)."");
            $num_cat=DB::num_rows();
            if ($num_cat>0){
                  $row=DB::fetch_row();
                  $show_cat=$row['name'];
            }
            else{
                  $show_cat="All Categories";
            }

            $html->parse("navy", true);
            $html->setvar("cur_page", "videogallery_video_view.php");
            $html->setvar("fla", $fla);
            $html->setvar("show", $show);
            $html->setvar("show_cat", $show_cat);
            $html->setvar("cat", $cat);
            $title="";
            if($fla=="top_plays")
            {
                  if ($show=="today")
                  {
                        $title="Today's Top Plays";
                        $html->parse("top_plays", true);
                        $html->parse("just_added_a", true);
                        $html->parse("just_added_a1", true);
                        $html->parse("just_added", true);
                        $html->parse("most_comments_a", true);
                        $html->parse("most_comments_a1", true);
                        $html->parse("most_comments", true);
                        $html->parse("top_rated_a", true);
                        $html->parse("top_rated_a1", true);
                        $html->parse("top_rated", true);
                        $html->parse("show_cat_r", true);
                        $html->parse("today", true);
                        $html->parse("week_a", true);
                        $html->parse("week_a1", true);
                        $html->parse("week", true);
                        $html->parse("month_a", true);
                        $html->parse("month_a1", true);
                        $html->parse("month", true);
                        $html->parse("all_a", true);
                        $html->parse("all_a1", true);
                        $html->parse("all", true);
                        $html->parse("name_cat", true);
                        $html->parse("show_for", true);
                  }
                  elseif ($show=="week")
                  {
                        $title="Weekly Top Plays";
                        $html->parse("top_plays", true);
                        $html->parse("just_added_a", true);
                        $html->parse("just_added_a1", true);
                        $html->parse("just_added", true);
                        $html->parse("most_comments_a", true);
                        $html->parse("most_comments_a1", true);
                        $html->parse("most_comments", true);
                        $html->parse("top_rated_a", true);
                        $html->parse("top_rated_a1", true);
                        $html->parse("top_rated", true);
                        $html->parse("show_cat_r", true);
                        $html->parse("today_a", true);
                        $html->parse("today_a1", true);
                        $html->parse("today", true);
                        $html->parse("week", true);
                        $html->parse("month_a", true);
                        $html->parse("month_a1", true);
                        $html->parse("month", true);
                        $html->parse("all_a", true);
                        $html->parse("all_a1", true);
                        $html->parse("all", true);
                        $html->parse("name_cat", true);
                        $html->parse("show_for", true);
                  }
                  elseif ($show=="month")
                  {
                        $title="Monthly Top Plays";
                        $html->parse("top_plays", true);
                        $html->parse("just_added_a", true);
                        $html->parse("just_added_a1", true);
                        $html->parse("just_added", true);
                        $html->parse("most_comments_a", true);
                        $html->parse("most_comments_a1", true);
                        $html->parse("most_comments", true);
                        $html->parse("top_rated_a", true);
                        $html->parse("top_rated_a1", true);
                        $html->parse("top_rated", true);
                        $html->parse("show_cat_r", true);
                        $html->parse("today_a", true);
                        $html->parse("today_a1", true);
                        $html->parse("today", true);
                        $html->parse("week_a", true);
                        $html->parse("week_a1", true);
                        $html->parse("week", true);
                        $html->parse("month", true);
                        $html->parse("all_a", true);
                        $html->parse("all_a1", true);
                        $html->parse("all", true);
                        $html->parse("name_cat", true);
                        $html->parse("show_for", true);
                  }
                  elseif ($show=="all")
                  {
                        $title="All Top Plays";
                        $html->parse("top_plays", true);
                        $html->parse("just_added_a", true);
                        $html->parse("just_added_a1", true);
                        $html->parse("just_added", true);
                        $html->parse("most_comments_a", true);
                        $html->parse("most_comments_a1", true);
                        $html->parse("most_comments", true);
                        $html->parse("top_rated_a", true);
                        $html->parse("top_rated_a1", true);
                        $html->parse("top_rated", true);
                        $html->parse("show_cat_r", true);
                        $html->parse("today_a", true);
                        $html->parse("today_a1", true);
                        $html->parse("today", true);
                        $html->parse("week_a", true);
                        $html->parse("week_a1", true);
                        $html->parse("week", true);
                        $html->parse("month_a", true);
                        $html->parse("month_a1", true);
                        $html->parse("month", true);
                        $html->parse("all", true);
                        $html->parse("name_cat", true);
                        $html->parse("show_for", true);
                  }
            }
            elseif($fla=="just_added")
            {
                  $title="New Today";
                  $html->parse("top_plays_a", true);
                  $html->parse("top_plays_a1", true);
                  $html->parse("top_plays", true);
                  $html->parse("just_added", true);
                  $html->parse("most_comments_a", true);
                  $html->parse("most_comments_a1", true);
                  $html->parse("most_comments", true);
                  $html->parse("name_cat", true);
                  $html->parse("top_rated_a", true);
                  $html->parse("top_rated_a1", true);
                  $html->parse("top_rated", true);
            }
            elseif($fla=="most_comments")
            {
                  if ($show=="today")
                  {
                        $title="Today's Most Comments";
                        $html->parse("top_plays_a", true);
                        $html->parse("top_plays_a1", true);
                        $html->parse("top_plays", true);
                        $html->parse("just_added_a", true);
                        $html->parse("just_added_a1", true);
                        $html->parse("just_added", true);
                        $html->parse("most_comments", true);
                        $html->parse("top_rated_a", true);
                        $html->parse("top_rated_a1", true);
                        $html->parse("top_rated", true);
                        $html->parse("show_cat_r", true);
                        $html->parse("today", true);
                        $html->parse("week_a", true);
                        $html->parse("week_a1", true);
                        $html->parse("week", true);
                        $html->parse("month_a", true);
                        $html->parse("month_a1", true);
                        $html->parse("month", true);
                        $html->parse("all_a", true);
                        $html->parse("all_a1", true);
                        $html->parse("all", true);
                        $html->parse("name_cat", true);
                        $html->parse("show_for", true);
                  }
                  elseif ($show=="week")
                  {
                        $title="Weekly Most Comments";
                        $html->parse("top_plays_a", true);
                        $html->parse("top_plays_a1", true);
                        $html->parse("top_plays", true);
                        $html->parse("just_added_a", true);
                        $html->parse("just_added_a1", true);
                        $html->parse("just_added", true);
                        $html->parse("most_comments", true);
                        $html->parse("top_rated_a", true);
                        $html->parse("top_rated_a1", true);
                        $html->parse("top_rated", true);
                        $html->parse("show_cat_r", true);
                        $html->parse("today_a", true);
                        $html->parse("today_a1", true);
                        $html->parse("today", true);
                        $html->parse("week", true);
                        $html->parse("month_a", true);
                        $html->parse("month_a1", true);
                        $html->parse("month", true);
                        $html->parse("all_a", true);
                        $html->parse("all_a1", true);
                        $html->parse("all", true);
                        $html->parse("name_cat", true);
                        $html->parse("show_for", true);
                  }
                  elseif ($show=="month")
                  {
                        $title="Monthly Most Comments";
                        $html->parse("top_plays_a", true);
                        $html->parse("top_plays_a1", true);
                        $html->parse("top_plays", true);
                        $html->parse("just_added_a", true);
                        $html->parse("just_added_a1", true);
                        $html->parse("just_added", true);
                        $html->parse("most_comments", true);
                        $html->parse("top_rated_a", true);
                        $html->parse("top_rated_a1", true);
                        $html->parse("top_rated", true);
                        $html->parse("show_cat_r", true);
                        $html->parse("today_a", true);
                        $html->parse("today_a1", true);
                        $html->parse("today", true);
                        $html->parse("week_a", true);
                        $html->parse("week_a1", true);
                        $html->parse("week", true);
                        $html->parse("month", true);
                        $html->parse("all_a", true);
                        $html->parse("all_a1", true);
                        $html->parse("all", true);
                        $html->parse("name_cat", true);
                        $html->parse("show_for", true);
                  }
                  elseif ($show=="all")
                  {
                        $title="All Most Comments";
                        $html->parse("top_plays_a", true);
                        $html->parse("top_plays_a1", true);
                        $html->parse("top_plays", true);
                        $html->parse("just_added_a", true);
                        $html->parse("just_added_a1", true);
                        $html->parse("just_added", true);
                        $html->parse("most_comments", true);
                        $html->parse("top_rated_a", true);
                        $html->parse("top_rated_a1", true);
                        $html->parse("top_rated", true);
                        $html->parse("show_cat_r", true);
                        $html->parse("today_a", true);
                        $html->parse("today_a1", true);
                        $html->parse("today", true);
                        $html->parse("week_a", true);
                        $html->parse("week_a1", true);
                        $html->parse("week", true);
                        $html->parse("month_a", true);
                        $html->parse("month_a1", true);
                        $html->parse("month", true);
                        $html->parse("all", true);
                        $html->parse("name_cat", true);
                        $html->parse("show_for", true);
                  }
            }
            elseif($fla=="top_rated")
            {
                  if ($show=="today")
                  {
                        $title="Today's Highest Rated";
                        $html->parse("top_plays_a", true);
                        $html->parse("top_plays_a1", true);
                        $html->parse("top_plays", true);
                        $html->parse("just_added_a", true);
                        $html->parse("just_added_a1", true);
                        $html->parse("just_added", true);
                        $html->parse("most_comments_a", true);
                        $html->parse("most_comments_a1", true);
                        $html->parse("most_comments", true);
                        $html->parse("top_rated", true);
                        $html->parse("show_cat_r", true);
                        $html->parse("today", true);
                        $html->parse("week_a", true);
                        $html->parse("week_a1", true);
                        $html->parse("week", true);
                        $html->parse("month_a", true);
                        $html->parse("month_a1", true);
                        $html->parse("month", true);
                        $html->parse("all_a", true);
                        $html->parse("all_a1", true);
                        $html->parse("all", true);
                        $html->parse("name_cat", true);
                        $html->parse("show_for", true);
                  }
                  elseif ($show=="week")
                  {
                        $title="Weekly Highest Rated";
                        $html->parse("top_plays_a", true);
                        $html->parse("top_plays_a1", true);
                        $html->parse("top_plays", true);
                        $html->parse("just_added_a", true);
                        $html->parse("just_added_a1", true);
                        $html->parse("just_added", true);
                        $html->parse("most_comments_a", true);
                        $html->parse("most_comments_a1", true);
                        $html->parse("most_comments", true);
                        $html->parse("top_rated", true);
                        $html->parse("show_cat_r", true);
                        $html->parse("today_a", true);
                        $html->parse("today_a1", true);
                        $html->parse("today", true);
                        $html->parse("week", true);
                        $html->parse("month_a", true);
                        $html->parse("month_a1", true);
                        $html->parse("month", true);
                        $html->parse("all_a", true);
                        $html->parse("all_a1", true);
                        $html->parse("all", true);
                        $html->parse("name_cat", true);
                        $html->parse("show_for", true);
                  }
                  elseif ($show=="month")
                  {
                        $title="Monthly Highest Rated";
                        $html->parse("top_plays_a", true);
                        $html->parse("top_plays_a1", true);
                        $html->parse("top_plays", true);
                        $html->parse("just_added_a", true);
                        $html->parse("just_added_a1", true);
                        $html->parse("just_added", true);
                        $html->parse("most_comments_a", true);
                        $html->parse("most_comments_a1", true);
                        $html->parse("most_comments", true);
                        $html->parse("top_rated", true);
                        $html->parse("show_cat_r", true);
                        $html->parse("today_a", true);
                        $html->parse("today_a1", true);
                        $html->parse("today", true);
                        $html->parse("week_a", true);
                        $html->parse("week_a1", true);
                        $html->parse("week", true);
                        $html->parse("month", true);
                        $html->parse("all_a", true);
                        $html->parse("all_a1", true);
                        $html->parse("all", true);
                        $html->parse("name_cat", true);
                        $html->parse("show_for", true);
                  }
                  elseif ($show=="all")
                  {
                        $title="All Highest Rated";
                        $html->parse("top_plays_a", true);
                        $html->parse("top_plays_a1", true);
                        $html->parse("top_plays", true);
                        $html->parse("just_added_a", true);
                        $html->parse("just_added_a1", true);
                        $html->parse("just_added", true);
                        $html->parse("most_comments_a", true);
                        $html->parse("most_comments_a1", true);
                        $html->parse("most_comments", true);
                        $html->parse("top_rated", true);
                        $html->parse("show_cat_r", true);
                        $html->parse("today_a", true);
                        $html->parse("today_a1", true);
                        $html->parse("today", true);
                        $html->parse("week_a", true);
                        $html->parse("week_a1", true);
                        $html->parse("week", true);
                        $html->parse("month_a", true);
                        $html->parse("month_a1", true);
                        $html->parse("month", true);
                        $html->parse("all", true);
                        $html->parse("name_cat", true);
                        $html->parse("show_for", true);
                  }
            }
            $html->parse("show_cat", true);

            $html->setvar("title", $title);
            $html->parse("title", true);


            parent::parseBlock($html);
      }
}

$page = new CPhotoEdit("", $g['tmpl']['dir_tmpl_main'] . "videogallery_video_view.html");
$header = new CHeader("header", $g['tmpl']['dir_tmpl_main'] . "_header.html");
$page->add($header);
$footer = new CFooter("footer", $g['tmpl']['dir_tmpl_main'] . "_footer.html");
$page->add($footer);

$users_ims = new CIms("ims", $g['tmpl']['dir_tmpl_main'] . "_ims.html");
$page->add($users_ims);

$vidoheader = new VidoHeader("videogallery_vido_header", $g['tmpl']['dir_tmpl_main'] . "videogallery_vido_header.html");
$page->add($vidoheader);

include("./_include/core/main_close.php");

?>
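As an added example (not part of the question or of the videogallery code it comes from), this is how the output-encoding the scanner asks for would look in this page's PHP: free-form strings are run through htmlspecialchars() with ENT_QUOTES before they reach $html->setvar(), parentheses are additionally turned into numeric entities as the report suggests, and the mode and numeric parameters (fla, show, cat, start) are validated against a whitelist or cast to int so they never need encoding at all. The helper names h_encode, int_param and choice_param are hypothetical; get_param() is the framework function used in the question, with a minimal stand-in defined only when it is absent so the file runs on its own. The whitelist values are assumed from the template section names ("top_plays", "just_added", "today", "week", "month", "all" and so on) visible in the posted code.

```php
<?php
// Added example, not the project's own code. Output-encode request and
// database values before they are pushed into the template via setvar().

// Stand-in for the framework's get_param() so this file runs on its own;
// the real one in the question's framework is used when it exists.
if (!function_exists('get_param')) {
    function get_param($name, $default = '')
    {
        return isset($_GET[$name]) ? (string) $_GET[$name] : $default;
    }
}

/**
 * Encode a string for safe insertion into HTML text or a quoted attribute.
 * htmlspecialchars() with ENT_QUOTES covers < > & " and '. The strtr()
 * afterwards also converts parentheses to numeric entities, which is the
 * extra step the scanner report in the question recommends.
 */
function h_encode($value)
{
    $encoded = htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
    return strtr($encoded, array('(' => '&#40;', ')' => '&#41;'));
}

/**
 * Numeric parameters (cat, start) are not encoded but validated: only a run
 * of digits is accepted, everything else falls back to the default. The
 * result is an int, so it is safe both in the template and in to_sql().
 */
function int_param($name, $default = 0)
{
    $raw = get_param($name, '');
    return preg_match('/^\d+$/', $raw) ? (int) $raw : $default;
}

/**
 * Mode parameters (fla, show) are compared against the set of values the
 * page actually handles; anything unexpected becomes the default, so no
 * attacker-controlled string is ever reflected through these variables.
 */
function choice_param($name, array $allowed, $default)
{
    $raw = get_param($name, '');
    return in_array($raw, $allowed, true) ? $raw : $default;
}

// How the top of parseBlock() in the question would read with these helpers
// (whitelist values assumed from the template section names in the code):
function read_page_params()
{
    return array(
        'fla'   => choice_param('fla', array('top_plays', 'just_added', 'most_comments', 'top_rated'), 'top_plays'),
        'show'  => choice_param('show', array('all', 'today', 'week', 'month'), 'all'),
        'cat'   => int_param('cat', 0),
        'start' => int_param('start', 0),
    );
}

// Wherever a database value or free-form string reaches the template, encode
// it at that point (output encoding), e.g. in the category loop and the title:
//   $html->setvar("cat_name", h_encode($row['name']));
//   $html->setvar("title",    h_encode($title));

// Self-check with a constructed input containing every character the
// scanner cares about; run from the command line to see the encoded form.
if (PHP_SAPI === 'cli') {
    $sample = 'Tom & "Jerry" <b>(channel)</b> \'x\'';   // constructed sample value
    echo h_encode($sample), "\n";
    var_dump(read_page_params());
}
```

The important design choice is that encoding happens at the output boundary (the setvar() call), not on the way in: the same channel name may later be used in a SQL query or a plain-text email, and a value encoded for HTML is wrong in those contexts. Parameters that only select behaviour are better whitelisted than encoded, because a value outside the expected set has no legitimate use anyway.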
HackneyCab

This looks like a homework question. You're not allowed to ask people to do your homework for you.
ASKER CERTIFIED SOLUTION
steelseth12
DMCKIB88
ASKER
This is not my homework, but I had my program written for me and HackerSafe says that the program should not run because of the cross-site scripting. I will give you any points to solve this for me. If you need more of the program, please let me know which part. Thanks.
Thanks for ignoring my comments; goodnight and good luck.
SOLUTION
I entered the same title because it was the same question on different files. I do have experience, but if this is a security issue, I thought that maybe with the experts on this site I could come up with other ideas.
Sorry if this is too much. Thanks,
I think two of the three questions should be deleted, perhaps the two that really don't have any good answers?

I only see the need for one of these posts. Another user said this is "homework." You can decide on this, however.
HTML encode data before sending it to the browser.

Filtering < and > alone will not solve all cross site scripting attacks. It is suggested you also attempt to filter out open and closing parenthesis or convert them to their encoded equivalents.

This is their suggestion.
SOLUTION